Malware/adware Pop-ups


This topic is locked
11 replies to this topic

#1 LostInSeattle

Posted 05 April 2006 - 06:56 PM

I have run several malware/adware/virus programs but still have loads of pop-ups getting through unless I have ZoneAlarm locked. Every time I run these programs they always find infections (Look2Me is a favorite) but cannot delete them. Typical pop-ups are ones ending in YYY65, BFAST, COMMISSION-JUNCTION, FASTCLICK and LINKSYNERGY.

I would greatly appreciate any assistance as I am at wits end and have little knowledge as to what I should do. Thanks!!

Logfile of HijackThis v1.99.1
Scan saved at 4:47:54 PM, on 04/05/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.234\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.com/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cable-lynx.net:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\Administrator\Desktop\Dad's Stuff\Misc Programs\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QMusic2] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [System Update Service] system.pif
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\RunServices: [System Update Service] system.pif
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124494787421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124494768859
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: Reinstall - C:\WINNT\system32\l8l6li3s18.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: Mouse Movement Monitor (mousemm) - Unknown owner - C:\WINNT\system32\mousemm.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcsvc) - Unknown owner - C:\WINNT\system32\rpcsvc.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


#2 Rawe

Posted 06 April 2006 - 02:58 AM

Hello and welcome to the site. Let's get started.

==

Please print these instructions out, or save them to a notepad file, as you can't read them during the fix.

Please download the trial version of Ewido Anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

Please run a scan with Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily. (Maybe Desktop)
  • Close Ewido Anti-Malware.
==

Now, reboot back into Normal mode, open the Report.txt file and copy & paste its content to this thread along with a fresh HijackThis log.

#3 LostInSeattle (Topic Starter)

Posted 06 April 2006 - 05:35 PM

Thanks for the help, it is much appreciated!!

Here is the Ewido Report followed by the HJT report which I did immediately after the Ewido scan while still in Safe Mode. Hope that's okay. As soon as I rebooted I received a detection from Ewido for Adware.Look2Me under file name nbrstr.dll.


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:17:41 PM, 04/06/2006
+ Report-Checksum: 9849639F

+ Scan result:

[428] C:\WINNT\system32\iiagx5.dll -> Adware.Look2Me : Error during cleaning
[452] C:\WINNT\system32\iiagx5.dll -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@www.epilot[1].txt -> TrackingCookie.Epilot : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0X2RSTIV\send_ocx_sof[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4HIJKXMZ\send_ocx_sof[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup
C:\WINNT\system32\az14073qe.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\dn2401fqe.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\fp4o03h3e.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\g604lgdq160e.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\h4l20e3oeh.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\hoomem07.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\ir0ml5d11.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\j8l40i3qe8.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\jtl4073qe.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\k4260efseh260.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\k4lq0e35eh.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\ktl4l73q1.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\lv2009fme.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\msicda.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\p46slej71ho.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\pdspl.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\rnched20.dll -> Adware.Look2Me : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 3:20:36 PM, on 04/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.610\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.com/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cable-lynx.net:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\Administrator\Desktop\Dad's Stuff\Misc Programs\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QMusic2] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [System Update Service] system.pif
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\RunServices: [System Update Service] system.pif
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124494787421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124494768859
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: App Management - C:\WINNT\system32\d60mlgd1160.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: Mouse Movement Monitor (mousemm) - Unknown owner - C:\WINNT\system32\mousemm.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcsvc) - Unknown owner - C:\WINNT\system32\rpcsvc.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#4 Rawe

Posted 07 April 2006 - 07:37 AM

Let's continue.

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Removeservice.bat to your desktop.

@echo off
rem sc.exe addresses a service by its key name (the name shown in parentheses
rem in the O23 lines), not by its display name, so the same short names are
rem used for both the stop and the delete step.
sc stop mousebm
sc stop mousemm
sc stop ssl
sc stop rpcsvc
sc stop ServiceHost
sc stop netinfo
sc delete mousebm
sc delete mousemm
sc delete ssl
sc delete rpcsvc
sc delete netinfo
sc delete ServiceHost


Double-click on Removeservice.bat. A window will pop up and close. This is normal.

==

Please download Look2Me-Destroyer to your desktop.

Before continuing with the fix there is something you must do:
  • Click Start -> Run and type in: services.msc
  • Check that the following services are running and that their startup is set to automatic:
  • Seclogon, or Secondary logon service
  • Next your machine needs to be offline, manually disconnect the network cable if necessary.
  • Your antivirus, and every other security software MUST be disabled.
Now continue:
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Re-launch your Anti-virus/Firewall protection.
  • Re-connect back to the internet.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HijackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
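The entries that the cleanup in this thread works through can be picked out of a HijackThis log mechanically: O23 services whose binary is missing and that carry no vendor in their version information (the six the batch file above deletes), O20 Winlogon Notify packages that are not part of Windows (the randomly named DLL that Look2Me registers, which winlogon.exe loads at every logon; that is why the Ewido report shows "Error during cleaning" for a DLL it found in memory rather than on disk), and O4 autoruns that point at a bare system.pif. The script below is an added example and is not code from this thread, from HijackThis, or from any of the other tools named here. Its parsing rules are written from the log format shown in the posts above, its list of built-in Notify packages is an assumption and not exhaustive, and the sample log is constructed from lines in the first post plus two benign lines. It also shows the sc.exe caveat: the service key name from the parentheses, not the display name, is what sc stop and sc delete need.

```python
"""Triage a HijackThis 1.99.1 log for the entry classes seen in this thread and
emit cleanup commands.  Added example; parsing rules are derived from the log
format in the thread, and KNOWN_NOTIFY is an assumed, partial list."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the first log in the thread, plus one
# benign O4 and one benign O23 line so the filters have something to pass.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [System Update Service] system.pif
O4 - HKCU\..\RunServices: [System Update Service] system.pif
O20 - Winlogon Notify: Reinstall - C:\WINNT\system32\l8l6li3s18.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Notify packages that ship with Windows 2000/XP (assumed, not exhaustive).
# Anything else is a DLL that winlogon.exe loads at every logon.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<dll>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
                    r" - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "service", "notify" or "autorun"
    target: str  # service key name, Notify subkey, or Run value name
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the suspicious O4/O20/O23 entries in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O23_RE.match(line):
            reasons = []
            if "(file missing)" in m["path"]:
                reasons.append("binary missing")
            if m["owner"] == "Unknown owner":
                reasons.append("no vendor in version info")
            if reasons and m["name"]:
                findings.append(Finding("service", m["name"], ", ".join(reasons), line))
        elif m := O20_RE.match(line):
            if m["key"].lower() not in KNOWN_NOTIFY:
                findings.append(Finding("notify", m["key"],
                                        "Notify package not shipped with Windows: " + m["dll"], line))
        elif m := O4_RE.match(line):
            exe = m["cmd"].split()[0].strip('"')
            reasons = []
            # A bare name is resolved through the search path, and .pif is a
            # DOS program shortcut, not something a legitimate autorun uses.
            if "\\" not in exe and exe.lower().endswith((".pif", ".scr", ".com", ".bat")):
                reasons.append("bare DOS-style launcher found through the search path")
            if m["key"] == "RunServices":
                reasons.append("RunServices is a Windows 9x key that NT-based Windows ignores")
            if reasons:
                findings.append(Finding("autorun", m["name"], "; ".join(reasons), line))
    return findings


def cleanup_commands(findings: list[Finding]) -> list[str]:
    """Batch lines for the findings.  sc.exe wants the service *key* name, not
    the display name.  Notify DLLs are only listed: they sit inside
    winlogon.exe, so deleting them on a running system fails; they need Safe
    Mode or a dedicated tool such as the one the thread uses."""
    cmds = []
    for f in findings:
        if f.kind == "service":
            cmds += [f"sc stop {f.target}", f"sc delete {f.target}"]
        elif f.kind == "autorun":
            m = O4_RE.match(f.line)
            key = "\\".join((m["hive"], "Software", "Microsoft", "Windows",
                             "CurrentVersion", m["key"]))
            cmds.append(f'reg delete "{key}" /v "{f.target}" /f')
        else:
            cmds.append(f"rem review Winlogon Notify subkey {f.target}: {f.reason}")
    return cmds


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:8} {f.target:22} {f.reason}")
    print("\n".join(cleanup_commands(found)))
```

Point triage() at a full log instead of SAMPLE_LOG to get the same six findings this thread's logs produce, then review the generated lines before running them; the reg delete lines assume reg.exe is available, which on Windows 2000 means the Support Tools are installed.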

#5 LostInSeattle (Topic Starter)

Posted 11 April 2006 - 01:52 AM

Sorry for the delay. We are in the process of moving so my replies may be sporadic.

I began following the steps as you indicated but when I checked 'Services', I could not find Seclogon or Secondary Logon Service so I did not continue past this step. I copied what was in 'Services' in case you needed to see it:

Name Description Status Startup Type Log On As
Adobe LM Service AdobeLM Service Manual LocalSystem
Alerter Notifies selected users and computers of administrative alerts. Started Automatic LocalSystem
Application Management Provides software installation services such as Assign, Publish, and Remove. Manual LocalSystem
Automatic Updates Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. Started Automatic LocalSystem
AVG7 Alert Manager Server Started Automatic LocalSystem
AVG7 Update Service Started Automatic LocalSystem
Background Intelligent Transfer Service Transfers files in the background using idle network bandwidth. If the service is disabled, then any functions that depend on BITS, such as Windows Update or MSN Explorer will be unable to automatically download programs and other information. Manual LocalSystem
ClipBook Supports ClipBook Viewer, which allows pages to be seen by remote ClipBooks. Manual LocalSystem
COM+ Event System Provides automatic distribution of events to subscribing COM components. Started Manual LocalSystem
Computer Browser Maintains an up-to-date list of computers on your network and supplies the list to programs that request it. Started Automatic LocalSystem
DHCP Client Manages network configuration by registering and updating IP addresses and DNS names. Started Automatic LocalSystem
Distributed Link Tracking Client Sends notifications of files moving between NTFS volumes in a network domain. Started Automatic LocalSystem
Distributed Transaction Coordinator Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers. Manual LocalSystem
DNS Client Resolves and caches Domain Name System (DNS) names. Started Automatic LocalSystem
Event Log Logs event messages issued by programs and Windows. Event Log reports contain information that can be useful in diagnosing problems. Reports are viewed in Event Viewer. Started Automatic LocalSystem
ewido security suite control Starting Automatic LocalSystem
ewido security suite guard Automatic LocalSystem
Fax Service Helps you send and receive faxes Manual LocalSystem
Indexing Service Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language. Manual LocalSystem
Intel® Active Monitor Automatic LocalSystem
Internet Connection Sharing Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection. Disabled LocalSystem
IPSEC Policy Agent Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. Started Automatic LocalSystem
Logical Disk Manager Logical Disk Manager Watchdog Service Started Automatic LocalSystem
Logical Disk Manager Administrative Service Administrative service for disk management requests Manual LocalSystem
Messenger Sends and receives messages transmitted by administrators or by the Alerter service. Disabled LocalSystem
Microsoft SSL Provides communication security between clients and servers over TCP. If this service is stopped, TCP security between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depend on it will fail to Automatic LocalSystem
Mouse Button Monitor Enables a computer to maintain synchronization with a PS/2 pointing device. Stopping or disabling this service will result in system instability. Automatic LocalSystem
Mouse Movement Monitor Enables a computer to maintain synchronization with a PS/2 pointing device. Stopping or disabling this service will result in system instability. Automatic LocalSystem
Net Logon Supports pass-through authentication of account logon events for computers in a domain. Manual LocalSystem
netinfo Internet Info Service Automatic LocalSystem
NetMeeting Remote Desktop Sharing Allows authorized people to remotely access your Windows desktop using NetMeeting. Manual LocalSystem
Network Connections Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. Started Manual LocalSystem
Network DDE Provides network transport and security for dynamic data exchange (DDE). Manual LocalSystem
Network DDE DSDM Manages shared dynamic data exchange and is used by Network DDE Manual LocalSystem
NT LM Security Support Provider Provides security to remote procedure call (RPC) programs that use transports other than named pipes. Manual LocalSystem
NVIDIA Display Driver Service Provides system and desktop level support to the NVIDIA display driver Started Automatic LocalSystem
Performance Logs and Alerts Configures performance logs and alerts. Manual LocalSystem
Plug and Play Manages device installation and configuration and notifies programs of device changes. Started Automatic LocalSystem
Portable Media Serial Number Service Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device. Manual LocalSystem
Print Spooler Loads files to memory for later printing. Started Automatic LocalSystem
Protected Storage Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. Started Automatic LocalSystem
QoS RSVP Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets. Manual LocalSystem
Remote Access Auto Connection Manager Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. Manual LocalSystem
Remote Access Connection Manager Creates a network connection. Started Manual LocalSystem
Remote Procedure Call (RPC) Provides the endpoint mapper and other miscellaneous RPC services. Started Automatic LocalSystem
Remote Procedure Call (RPC) Locator Manages the RPC name service database. Manual LocalSystem
Remote Registry Service Allows remote registry manipulation. Disabled LocalSystem
Removable Storage Manages removable media, drives, and libraries. Started Automatic LocalSystem
Routing and Remote Access Offers routing services to businesses in local area and wide area network environments. Disabled LocalSystem
RunAs Service Enables starting processes under alternate credentials Started Automatic LocalSystem
Security Accounts Manager Stores security information for local user accounts. Started Automatic LocalSystem
Server Provides RPC support and file, print, and named pipe sharing. Started Automatic LocalSystem
Service Hosts Service Hosts Automatic LocalSystem
Smart Card Manages and controls access to a smart card inserted into a smart card reader attached to the computer. Manual LocalSystem
Smart Card Helper Provides support for legacy smart card readers attached to the computer. Manual LocalSystem
System Event Notification Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. Started Automatic LocalSystem
Task Scheduler Enables a program to run at a designated time. Started Automatic LocalSystem
TCP/IP NetBIOS Helper Service Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. Started Automatic LocalSystem
Telephony Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. Started Manual LocalSystem
Telnet Allows a remote user to log on to the system and run console programs using the command line. Disabled LocalSystem
TrueVector Internet Monitor Monitors internet traffic and generates alerts for disallowed access. Started Automatic LocalSystem
Uninterruptible Power Supply Manages an uninterruptible power supply (UPS) connected to the computer. Manual LocalSystem
Utility Manager Starts and configures accessibility tools from one window Manual LocalSystem
Windows Installer Installs, repairs and removes software according to instructions contained in .MSI files. Manual LocalSystem
Windows Management Instrumentation Provides system management information. Started Automatic LocalSystem
Windows Management Instrumentation Driver Extensions Provides systems management information to and from drivers. Started Manual LocalSystem
Windows Remote Procedure Call Monitoring Service Provides reliability and uptime monitoring for components that use the RPC subsystem. If this service is stopped, RPC communication between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depe Automatic LocalSystem
Windows Time Sets the computer clock. Manual LocalSystem
Wireless Configuration Provides authenticated network access control using IEEE 802.1x for wired and wireless Ethernet networks. Manual LocalSystem
WMDM PMSP Service Started Automatic LocalSystem
Workstation Provides network connections and communications. Started Automatic LocalSystem


Awaiting further instructions. Thanks again!

#6 Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:11:09 AM

Posted 11 April 2006 - 07:17 AM

Yes, sorry, that was my mistake; the service I should've asked you to look for is: RunAs

Then run Look2Me-Destroyer. :thumbsup:
Hi there, stranger!

#7 LostInSeattle

  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:09 AM

Posted 13 April 2006 - 01:49 AM

Okay... seems to be running much better already. No pop-ups yet!

Here are the 2 logs:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/12/2006 11:35:02 PM

Infected! C:\WINNT\system32\l0j80a1ued.dll
Infected! C:\WINNT\system32\chpbk32.dll
Infected! C:\WINNT\system32\l0j80a1ued.dll
Infected! C:\WINNT\system32\mv6ml9j11.dll

Attempting to delete infected files...

Attempting to delete: C:\WINNT\system32\l0j80a1ued.dll
C:\WINNT\system32\l0j80a1ued.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\chpbk32.dll
C:\WINNT\system32\chpbk32.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\l0j80a1ued.dll
C:\WINNT\system32\l0j80a1ued.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\mv6ml9j11.dll
C:\WINNT\system32\mv6ml9j11.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CFB65FE5-CD55-4A5E-A070-14D49975E82A}"
HKCR\Clsid\{CFB65FE5-CD55-4A5E-A070-14D49975E82A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{506F7E2A-1745-4FC8-AD09-58166B70DE25}"
HKCR\Clsid\{506F7E2A-1745-4FC8-AD09-58166B70DE25}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{022838AF-C1E5-426B-A0A9-C041937CEF39}"
HKCR\Clsid\{022838AF-C1E5-426B-A0A9-C041937CEF39}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{83DBC6A6-D8BA-45B6-A663-963CA7511EE0}"
HKCR\Clsid\{83DBC6A6-D8BA-45B6-A663-963CA7511EE0}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6EFAD655-2BEE-469E-979C-C176D5B3431D}"
HKCR\Clsid\{6EFAD655-2BEE-469E-979C-C176D5B3431D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{470CB261-494E-4153-A847-59C8E63A50FF}"
HKCR\Clsid\{470CB261-494E-4153-A847-59C8E63A50FF}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{773AB7A5-D4F5-4F6F-8301-46613BF3A7C0}"
HKCR\Clsid\{773AB7A5-D4F5-4F6F-8301-46613BF3A7C0}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{16F9CA29-A60B-48B9-BE15-26C1B425A406}"
HKCR\Clsid\{16F9CA29-A60B-48B9-BE15-26C1B425A406}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0419B4DF-E381-4758-A55D-0E52FF2998A3}"
HKCR\Clsid\{0419B4DF-E381-4758-A55D-0E52FF2998A3}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BA141FAB-2DD4-4B20-A162-4A6DC2CD20D0}"
HKCR\Clsid\{BA141FAB-2DD4-4B20-A162-4A6DC2CD20D0}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2A4ABF24-FD01-4075-B8A0-494363F5EC7E}"
HKCR\Clsid\{2A4ABF24-FD01-4075-B8A0-494363F5EC7E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{98A6D0E9-9348-4D3F-A3C0-87DFE9BBF8DB}"
HKCR\Clsid\{98A6D0E9-9348-4D3F-A3C0-87DFE9BBF8DB}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6924A3CD-7C64-4508-AE5E-9368C47C622B}"
HKCR\Clsid\{6924A3CD-7C64-4508-AE5E-9368C47C622B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{214E130A-C5F4-4B54-B1F4-BF0D4E6D1171}"
HKCR\Clsid\{214E130A-C5F4-4B54-B1F4-BF0D4E6D1171}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{406B44A9-B09D-4D5A-8EFA-B1F6BBB545C6}"
HKCR\Clsid\{406B44A9-B09D-4D5A-8EFA-B1F6BBB545C6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CB8E87D4-DA75-4FAC-9442-0485D3A69F58}"
HKCR\Clsid\{CB8E87D4-DA75-4FAC-9442-0485D3A69F58}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7E87CE82-B5F3-4CFE-A9FC-08B2007283EA}"
HKCR\Clsid\{7E87CE82-B5F3-4CFE-A9FC-08B2007283EA}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9DD6EA2F-DEE4-494B-9D57-8D7771801805}"
HKCR\Clsid\{9DD6EA2F-DEE4-494B-9D57-8D7771801805}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded




Logfile of HijackThis v1.99.1
Scan saved at 11:47:25 PM, on 04/12/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.594\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.com/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cable-lynx.net:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Documents and Settings\Administrator\Desktop\Dad's Stuff\Misc Programs\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QMusic2] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [System Update Service] system.pif
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\RunServices: [System Update Service] system.pif
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124494787421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124494768859
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: Mouse Movement Monitor (mousemm) - Unknown owner - C:\WINNT\system32\mousemm.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcsvc) - Unknown owner - C:\WINNT\system32\rpcsvc.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


Thanks!

#8 Rawe

Posted 13 April 2006 - 08:22 AM

Well, those services didn't quite go..

Go ahead and uninstall Ewido as well as delete Look2Me-Destroyer. :thumbsup:

==

Please run a scan with HijackThis and check the following objects for removal:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
O4 - HKCU\..\Run: [System Update Service] system.pif
O4 - HKCU\..\RunServices: [System Update Service] system.pif
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: Mouse Movement Monitor (mousemm) - Unknown owner - C:\WINNT\system32\mousemm.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcsvc) - Unknown owner - C:\WINNT\system32\rpcsvc.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINNT\shost.exe (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)


Now close ALL other open windows except for HijackThis and hit FIX CHECKED.

==

Next, please do the following:

Then let's delete the services:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete an NT service"
  • Copy and paste this in: ServiceHost
  • Click "NO" on the prompt and paste ALL the following services (one at a time):

    ssl
    rpcsvc
    netinfo
    mousemm
    mousebm
When you get to the last service, click "YES" on the prompt and reboot.
==

Post back with a fresh HijackThis log. :flowers:
Hi there, stranger!
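The entries Rawe picks out above share two tells: O23 services whose binary is reported "(file missing)" or whose owner is unknown, and O4 autostarts that launch a bare .pif instead of a real program. As an added example (not part of the thread and not a HijackThis feature), this Python script applies those criteria to a constructed subset of the log; the regexes and the ODD_EXTENSIONS list are my assumptions about the v1.99.1 line format.

```python
import re

# Constructed sample in HijackThis v1.99.1 log format, modelled on the
# entries discussed in the thread (a subset, not the original log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [System Update Service] system.pif
O4 - HKCU\..\RunServices: [System Update Service] system.pif
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: netinfo - Unknown owner - C:\WINNT\netinfo.exe (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Assumed line shapes: "O23 - Service: <display (short)> - <owner> - <path> [(file missing)]"
# and "O4 - <hive>\..\<key>: [<label>] <command>".
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
# Executable types that legitimate autostart entries almost never use (assumption).
ODD_EXTENSIONS = (".pif", ".scr", ".com")


def service_short_name(display):
    """'Microsoft SSL (ssl)' -> 'ssl'; a bare name such as 'netinfo' is returned as-is."""
    m = re.search(r"\((\w+)\)$", display)
    return m.group(1) if m else display


def triage(log_text):
    """Return one finding per O4/O23 entry that meets the removal criteria used in the thread."""
    findings = []
    for line in log_text.strip().splitlines():
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m.group("missing"):
                reasons.append("binary missing")          # orphaned service registration
            if m.group("owner") == "Unknown owner":
                reasons.append("no publisher recorded")   # no company name in the file
            if reasons:
                findings.append({"kind": "O23", "id": service_short_name(m.group("name")),
                                 "path": m.group("path"), "reasons": reasons})
            continue
        m = O4_RE.match(line)
        if m:
            exe = m.group("cmd").strip('"').split()[0]    # first token is the program
            if exe.lower().endswith(ODD_EXTENSIONS):
                findings.append({"kind": "O4", "id": m.group("label"),
                                 "path": exe, "reasons": ["odd executable type"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']} {f['id']!r}: {f['path']}  <- {', '.join(f['reasons'])}")
```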

#9 Rawe

Posted 19 April 2006 - 10:23 AM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this Topic reopened, please PM a Staff member with the address of this thread.
Hi there, stranger!

#10 Rawe

Posted 20 April 2006 - 07:43 AM

Topic opened due to user request. :thumbsup:

Issue with the services..

Before deleting through HJT, can you please do this:


Click Start -> Run and type in: services.msc

Click "OK".

In the services window find each of the following services (one at a time):
  • Service Hosts
  • Microsoft SSL
  • Windows Remote Procedure Call Monitoring Service
  • netinfo
  • Mouse Button Monitor
  • Mouse Movement Monitor


Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok" (For each of the services). Exit the Services utility.

Now try deleting through HJT. :flowers:
Hi there, stranger!

#11 Rawe

Posted 27 April 2006 - 12:06 PM

Are you still in need of help?
Hi there, stranger!

#12 Rawe

Posted 07 May 2006 - 08:48 AM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this Topic reopened, please PM a Staff member with the address of this thread.
Hi there, stranger!



